Add a New Host Firewall Profile

Log in to
Cortex
XDR
.
Go to
Endpoints
Policy Management
Extensions Profiles
Profiles
and select
+ New Profile
or
Import from File
. Select the
Platform
and click
Host Firewall
Next
Fill-in the
General Information
for the new profile.
Assign a
Profile Name
and optional description to the profile.
Define your
Report Settings
.
When the profile operates in report mode,
Cortex
XDR
overrides all rules set to
Block
traffic. Instead, the traffic is allowed to go through, and the enforcement event is reported as
Override Block
. You can configure a profile in report mode if you need for example to test new block rules before you actually apply them.
Configure Internal and External Rule Groups.
To apply location based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. When enabled,
Cortex
XDR
enforces the host firewall rules based on the current location of the device within the internal organization network (
Internal Rules
), enabling you for example to enforce more strict rules when the device is outside the office and in a public place (
External Rules
). If you disable the Location Based option, your policy will apply the internal set of rules only, and that will be applied to the device regardless of its location.
Create a New Rule or add a rules group to the
Internal/External Groups
:
Click
+Add Group
.
Select one or more groups, and click
Add
.
To quickly apply the exact same rules in both cases, select
Add as external/internal
rules groups as well.
Review the rule group field details.
The groups are listed according to the order of enforcement from top to bottom. To change this order, click on the group priority number and drag the group to the desired row.
Field	Description
Applicable Rules Count	Displays the number of rules in the specific group that are associated with the platform profile.
Created by	Displays the email address of the user that created the rule.
Creation Time	Date and time of when the rule was created.
Description	Description of the rule, if available.
Group ID	Unique rules group ID.
Group Name	Name of the group rules group.
Mode	Displays whether the rules group is enabled or not.
Modified by	Displays the email address of the last user that made changes to the group.
Modification Time	Date and time of when the group was modified.
(
Optional
) Select
View Rules
to view a list of all the rule details within the rules group. The table is filtered according to the rules associated with the platform profile you are creating.
Any
type protocol and specific ports cannot be edited. If saved as a new rule, the specific ports previously defined are removed from the cloned rule.
Allow
or
Block
the
Default Action for Inbound/Outbound Traffic
in the profile if you want to allow all network connections that have not been matched to any other rule in the profile.
(
Optional
) Manage Legacy Host Firewall Rules.
Manage Host Firewall Rules created on macOS 10 and
Cortex
XDR
agent 7.5 and prior.
Enable
Manage Host Firewall
to allow
Cortex
XDR
to manage the host firewall on your Mac endpoints.
Configure the host firewall
Internal
and
External
settings.
The host firewall settings allow or block inbound communication on your Mac endpoints.
Enable
or
Disable
the following actions:
Stealth Mode
—Hide your mac endpoint from all TCP and UDP networks by enabling the Apple Stealth mode on your endpoint.
Block All Incoming Connections
—Select where to block all incoming communications on the endpoint or not.
Application Exclusions
—Allow or block specific programs running on the endpoint using a
Bundle ID
.
If the profile is location based, you can define both internal and external settings.
Save your profile.
When you’re done,
Create
your host firewall profile.
Apply Host Firewall Profiles to Your Endpoints.

Apply Host Firewall Profiles to Your Endpoints

Log in to
Cortex
XDR
.
Go to
Endpoints
Policy Management
Extensions
Policy Rules
, and select
+New Policy
or
Import from File
.
When importing a policy, select whether to enable the associated policy targets. Rules within the imported policy are managed as follows:
New rules are added to top of the list.
Default rules override the default rule in the target tenant.
Rules without a defined target are disabled until target is specified.
Configure settings for the host firewall policy.
Assign policy name, optional description, and operating system.
Assign the host firewall profile you want to use in this rule.
Click
Next
.
Select the target endpoints on which to enforce the policy.
Use filters or manual endpoint selection to define the exact target endpoints of the policy rules.
Click
Done
.
Alternatively, you can associate the host firewall profile to an existing policy. Right-click the policy and select
Edit
. Select the
Host Firewall
profile and click
Next
. If needed, you can edit other settings in the rule (such as target endpoints, description, etc.) When you’re done, click
Done
Configure policy hierarchy.
Drag and drop the policies in the desired order of execution.
Save
the policy hierarchy.
After the policy is saved and applied to the agents,
Cortex
XDR
enforces the host firewall policies on your environment.

Monitor the Host Firewall Activity on your Endpoint